Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

The federal Computer Fraud and Abuse Act of 1986 (“CFAA”) has generated controversy and disagreement among courts and commentators regarding the scope of its application. The statute, 18 U.S.C. § 1030, which provides for both criminal and civil penalties, prohibits accessing a computer or protected computer “without authorization” or in a manner “exceeding authorized access.” Courts are divided as to the meaning of these phrases, yet the U.S. Supreme Court recently declined the opportunity to resolve the circuit split that has developed, leaving the exact scope of this important statute in question.

In one of the first federal appellate court rulings following the Ninth Circuit’s decision in Robins v. Spokeo, the Eighth Circuit delivered a pyrrhic victory for customers victimized by a data breach. In Kuhns v. Scottrade, the Eighth Circuit ruled that, although the plaintiff had established standing to pursue a claim against Scottrade, Inc. resulting from a data breach that occurred in 2013, the customer failed to sufficiently allege that the brokerage firm breached its contractual obligations and affirmed dismissal of the case.

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

Over the past several years, we have witnessed a fundamental shift in orchestrated cyber-attacks from hacking credit card data and healthcare information to targeting businesses, their operations and bottom lines.

New York’s powerful Department of Financial Services (DFS) upended cybersecurity regulation with its new and sweeping “Cybersecurity Requirements for Financial Services Companies,” which took effect on March 1, 2017. But is the financial industry ready and equipped to comply with this detailed regulation? According to a recent survey published by Ponemon Institute and sponsored by Fasoo, the answer is an unequivocal “no.”

New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year. Companies covered by the regulation must comply with the first round of requirements by August 28th.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

In complying with the New York State Department of Financial Services (DFS) cybersecurity regulation, financial institutions have a choice. They can either employ “continuous monitoring” or, instead, conduct annual “penetration testing” and bi-annual “vulnerability assessments.”

New survey reports less than half of financial firms will meet deadline

by Kade N. Olsen and Craig A. Newman on June 16, 2017

A new survey by the Ponemon Institute reports that less than half of the financial institutions covered by New York’s sweeping new cybersecurity regulation say they will “likely” meet next February’s compliance deadline. And even more stunning is the fact that only 13% of those institutions surveyed reported “with certainty” that they would be in full compliance with the regulation by next year.

In our series of posts leading up to the August 28th deadline for the first phase of requirements under New York’s cybersecurity regulation, the Patterson Belknap team looks at issues that institutions face as they implement the new rules.

Faced with an approaching August 28th deadline, the more than 3,000 financial institutions that do business in New York should be knee-deep in implementing the first wave of requirements under the State’s sweeping and unprecedented cybersecurity regulation.

Justice Shirley Kornreich recently issued one of the few New York state court decisions that address the Computer Fraud and Abuse Act (“CFAA”). Spec Simple, Inc. v. Designer Pages Online LLC, No. 651860/2015, 2017 BL 160865 (N.Y. Sup. Ct. May 10, 2017). The CFAA criminalizes both accessing a computer without authorization and exceeding authorized access and thereby obtaining information from any protected computer. Id. at *3 (citing 18 U.S.C. § 1030(a)(2)(C)). The CFAA also provides a civil cause of action to any person who suffers damage or loss because of a violation of the CFAA. Id. at *4 (citing 18 U.S.C. § 1030(g)). As discussed below, the decision provides a helpful look into the interpretation of CFAA claims in the future.

For healthcare insurers that operate in New York, data security regulation has gotten more complicated. The U.S. Department of Health and Human Services’ Office for Civil Rights has been the industry’s primary data security regulator.

While courts and the Federal Rules of Evidence take an increasingly pragmatic approach to the question of when inadvertent disclosure of privileged information results in waiver, a recent federal magistrate’s ruling serves as a potent warning that use of a file-sharing site—without sufficient safeguards—may constitute a waiver. Harleysville Insurance Co. v. Holding Funeral Home, Inc., No. 1:15-cv-00057 (W.D. Va. Feb. 9, 2017) is the first published decision to find that the use of a file-sharing site to exchange potentially privileged information constituted a waiver of the attorney-client privilege and work product protection—because the company failed to password protect its transmission.

Back in December of last year, we reported that for the first time, a U.S. law firm – Johnson & Bell, a mid-sized Chicago firm – was publicly named in a class action data security lawsuit. Last month, the firm obtained a significant victory in the case.

Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiplerevisions. But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.

New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.

Back in December 2013, a U.S. magistrate issued a seemingly routine warrant in a narcotics case demanding that Microsoft turn over messages from a customer’s email account that resided on a server in Ireland. That warrant, which issued under a 1986 law called the Stored Communications Act (“SCA”), 18 U.S.C. § 2703, is still being debated today.

In what New York’s top federal prosecutor called a “wake-up call for law firms around the world,” three Chinese citizens have been charged with hacking into the servers of two prominent – but unidentified – international law firms to steal confidential client information in connection with pending M&A deals

Today, Reuters reported that the New York Department of Financial Services (“DFS”) will delay the effective date of its new cybersecurity regulation. According to a “person familiar with the matter,” the DFS will publish a new version of the cyber security regulation on December 28, 2016, and the effective date for the rule will now be March 1, 2017.

Industry groups continued their assault yesterday on New York’s “first-in-the-nation” cybersecurity regulation by telling state lawmakers that the proposed regime was inflexible and unfairly burdened smaller institutions.

Just weeks before the Cuomo administration’s “first-in-the-nation” cybersecurity regulation is scheduled to go into effect, the New York State Assembly Standing Committee on Banks will open a public hearing on Monday, December 19th into the controversial plan to require financial institutions that operate in New York to comply with a series of strict – and in some cases, unprecedented – data security measures.

Last week marked the first time a U.S. law firm was publicly named in a class action data security lawsuit. Originally filed in April 2016, the class action complaint in Shore v. Johnson & Bell, Ltd., 16-cv-4363 (N.D. Ill.), was unsealed last week after months of back-and-forth over whether the alleged security flaws had been patched. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of “systematically exposing confidential client information and storing client data without adequate security.” The lawsuit makes no claim that any client information has been stolen or misused. Even so, the filing of this complaint amplifies the risks already facing law firms – including reputational – at a time when data security is a top concern for law firms and their clients.

This is the second installment in our interview with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, the cyber risk analytics company. Here, Steven discusses the importance of aligning an institution’s risk profile with its cybersecurity plan and recommendations for bridging the gap between IT and the boardroom.

As part of Patterson Belknap’s continuing focus on the New York Department of Financial Services (DFS) proposed cybersecurity regulation, we sat down with Steven Grossman, VP Strategy & Enablement at Bay Dynamics, a cyber risk analytics company, to talk about cybersecurity in a highly regulated environment. In the first installment of our 2-part interview with Steven, he discusses implementation of the new regulation and the fact that organizations shouldn’t confuse regulatory compliance with effective cybersecurity planning and strategy.

This is our final installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on third-party vendors and business partners, including law firms.

This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.

This is the first installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. The Patterson Belknap Privacy and Data Security Team has studied the regulation, its legislative and regulatory underpinnings, and practical consequences.

In a ruling issued this morning, the Federal Trade Commission found that LabMD, the defunct Atlanta-based cancer detection lab, failed to protect patient information and is liable for unfair data security practices. The Commission’s ruling reverses an Initial Decision by an administrative law judge (ALJ) that had dismissed the FTC charges against LabMD.

A contentious legal battle over data security between the Federal Trade Commission and LabMD, a small medical testing lab, is chronicled in the latest edition of Bloomberg Businessweek. Dune Lawrence’s report raises lingering questions about the FTC’s prosecution of a now-defunct company, tampered evidence and regulatory overreach.

For months, the technology and business communities have been waiting anxiously for a Federal appeals court ruling on whether American companies can be forced to turn over customer information to U.S. law enforcement when that information is stored on servers abroad. It’s the result of a legal appeal filed last year by Microsoft Corporation that was argued before the U.S. Court of Appeals for the Second Circuit more than seven months ago.

Recent surveys tell us that cybersecurity is the top risk faced by corporate America. The Bank Director’s 2016 Risk Practices survey – out yesterday – disclosed that three quarters of bank executives and board members believe cybersecurity is their top concern. And their general counsel agree. In another recent study, general counsel said that cybersecurity was their top area of organizational risk as well.

Faced with the prospect of overturning a decision by one of its own administrative law judges, the Federal Trade Commission on Tuesday explored ways in which to render a narrow decision. The argument was the most recent chapter in the long running data security enforcement action against LabMD, the now defunct medical testing laboratory.

After several fits and starts, Congress finally passed the Cyber Information Sharing Act of 2015 (CISA) as part of the omnibus budget bill. President Obama signed the bill into law on December 18, 2015.

The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.

Cyber-attacks have become a matter of everyday reality for all businesses: regardless of industry or size, it is no longer if a data breach will happen, but when. And waiting for a breach to occur before designing and implementing a cyber incidence response plan is generally a recipe for disaster.

by Alejandro H. Cruz, Craig A. Newman and James Zucker on August 31, 2015

With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters.

About Our Blog

DataSecurityLaw.com is the firm’s resource for the latest news, analysis, and thought leadership in the critical area of privacy and cybersecurity law. Patterson Belknap’s Privacy and Data Security practice provides public and private enterprises, their leadership teams and boards with comprehensive services in this critical area. Our team of experienced litigators, corporate advisors and former federal and state prosecutors advises on a broad range of privacy and data protection matters including cyber preparedness and compliance, data breach response, special board and committee representation, internal investigations, and litigation.